It may surprise you, but Wireshark is not a packet capture tool...
Wireshark is a packet analysis program that (tries to) seamlessly integrate with packet capture tools. Its main packet capture tool is dumpcap, but there are several so-called 'extcap' tools available as well. Since you seem to be involved in Ethernet packet capture, the focus will be on dumpcap.
The primary difference between packet capture and packet analysis tools is that the former just captures packets, while the latter just analyses packets. In for instance tcpdump these functions are combined, while Wireshark keeps them separate.
Now why does the crash happen? The dumpcap program is happy to capture any packet it gets and send it on to a file for whoever wants it (with restrictions, but that's the base premise). It can then forget about the packet. Wireshark, however, uses the packets it receives and builds up state around the packets and their relationships. It's this accumulation of state that eventually overwhelms the memory of the system that runs Wireshark, causing the OS to terminate the program.
How to resolve this? For one, look more carefully at your intended purpose. Why are you capturing packets? It seems you're not at all interested in all packet details. Then why use a packet analysis tool? Probably for the convenience of statistical analysis it provides. Running dumpcap with the multiple capture files setting can help limit the amount of memory Wireshark needs to provide you the statistics. But that may be less convenient. Instead, have a look at tshark, which uses the same packet analysis as Wireshark. Use the option -Z,io.stat for instance to generate statistics, which you can then process further in the overview you need.
Are there better tools for this particular job? Have a look at ntopng. You will probably like it.
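As an added illustration of the "process further" step (this is example code, not part of the answer above or of the Wireshark project): the script below parses the interval table that `tshark -q -z io,stat,1` prints on a capture file and reduces it to totals, the average bit rate and the busiest interval. Because tshark only emits the summary table, the packets themselves never have to be kept in memory. The `SAMPLE` text is constructed in the shape of that table, not real capture data, and the file names in the comments are placeholders.

```python
"""Summarise the io,stat table produced by tshark without holding packets in memory.

Added example. Assumed workflow (placeholder file names):
    dumpcap -i eth0 -b filesize:102400 -b files:10 -w ring.pcapng   # capture side
    tshark -r ring_00001.pcapng -q -z io,stat,1 > iostat.txt         # analysis side
The parser below is then run over iostat.txt (or the constructed SAMPLE here).
"""
import re

# Constructed sample in the shape of `tshark -q -z io,stat,1` output; values are made up.
SAMPLE = """\
==================================================
| IO Statistics                                  |
|                                                |
| Duration: 5.0 secs                             |
| Interval: 1 secs                               |
|                                                |
| Col 1: Frames and bytes                        |
|------------------------------------------------|
|              |1                |
| Interval     | Frames |  Bytes |
|---------------------------------|
|  0 <>  1     |     12 |   1480 |
|  1 <>  2     |    340 |  51200 |
|  2 <>  3     |    295 |  44800 |
|  3 <>  4     |     10 |   1200 |
|  4 <>  5     |      0 |      0 |
==================================================
"""

# One data row: "| <start> <> <end> | <frames> | <bytes> |"; header rows do not match.
ROW = re.compile(r"^\|\s*([\d.]+)\s*<>\s*([\d.]+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|")


def parse_io_stat(text):
    """Return a list of (start, end, frames, bytes) tuples, one per interval row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            start, end, frames, nbytes = m.groups()
            rows.append((float(start), float(end), int(frames), int(nbytes)))
    return rows


def summarise(rows):
    """Compute totals, the average bit rate and the busiest interval from parsed rows."""
    if not rows:
        return None
    total_frames = sum(r[2] for r in rows)
    total_bytes = sum(r[3] for r in rows)
    duration = rows[-1][1] - rows[0][0]
    peak = max(rows, key=lambda r: r[3])  # interval carrying the most bytes
    return {
        "frames": total_frames,
        "bytes": total_bytes,
        "avg_bps": total_bytes * 8 / duration if duration else 0.0,
        "peak_interval": (peak[0], peak[1]),
        "peak_bytes": peak[3],
    }


if __name__ == "__main__":
    # Replace SAMPLE with open("iostat.txt").read() to process a real tshark run.
    stats = summarise(parse_io_stat(SAMPLE))
    print("frames:", stats["frames"], "bytes:", stats["bytes"])
    print("average bit rate: %.0f bit/s" % stats["avg_bps"])
    print("busiest second: %s with %d bytes" % (stats["peak_interval"], stats["peak_bytes"]))
```

Feeding this one io,stat table per ring-buffer file keeps the per-file memory use bounded by the table size rather than by the number of packets, which is the property the answer above is after.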